cc30d0840f3109070e558d8c9fc113fc582e8ef91344c74e360ebbe1a62df319

General

Target

7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Size

108KB
MD5

7403f55d628688afbfd7e05cd5c27745
SHA1

db263c0be17efc4c7b53b9badb96df7cfeb4761c
SHA256

cc30d0840f3109070e558d8c9fc113fc582e8ef91344c74e360ebbe1a62df319
SHA512

212408a2293ee837da24bab9584adbe46c5d00a751143088a0d57c71b31e2c05fc26e0bbf7a8886d67dc2cfca1053689cd85e0c00b2df6c5e570d2e4423b6fa1
SSDEEP

3072:ed1qCcXqjW4yRq4XrCoa/5c268NsQA+inB1qpfYU8:edaOjy8Smo1260Q+iB18fY

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3796-0-0x0000000000400000-0x0000000000448000-memory.dmp	upx
behavioral2/files/0x00070000000234d4-14.dat	upx
behavioral2/memory/3796-36-0x0000000000400000-0x0000000000448000-memory.dmp	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\Https.pnf	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Wdica.hiv	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Wdica.hiv	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\ws2hlp.PNF	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Https.dll	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Https.dll	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Wdica.sys	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Wdica.sys	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Https.hiv	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Https.pnf	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\IME\helps.txt	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\ws2hlp.PNF	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Https.hiv	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File opened for modification	C:\Windows\inf\Https.sys	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
File created	C:\Windows\inf\Https.sys	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeSystemProfilePrivilege	3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeSecurityPrivilege	3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeBackupPrivilege	3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeRestorePrivilege	3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeMachineAccountPrivilege	3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Token: SeDebugPrivilege	3796	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Wdica	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Wdica\ImagePath = "inf\\Wdica.sys"	7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7403f55d628688afbfd7e05cd5c27745_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\IME\helps.txt

Filesize
48KB

MD5
98c499fccb739ab23b75c0d8b98e0481

SHA1
0ef5c464823550d5f53dd485e91dabc5d5a1ba0a

SHA256
d9d8ce1b86b3978889466ab1b9f46778942d276922bf7533327a493083913087

SHA512
9e64ac13e18ab0a518bb85b6612520645b5ab2c9a5359ced943813ba7344714999f25ba0e52240ad2d0c2fefc76552ff43173adc46334ff0b5dba171fb58e4e6

Download Submit
C:\Windows\INF\Https.dll

Filesize
129KB

MD5
75d5d310791786c87b85bdd2a9f4f17f

SHA1
a61a250c842ca243be86c203c5dd890fa1167dd9

SHA256
7227a56c6735e055ff097dae22811b207e71af0acac730c126ae27ca433c2809

SHA512
6545cf7fdace26cbcfb2d95e24d06011f8dad14a038aaf9e3f7bc046f1504657f3c2490c7a81530c7de7fa85d3e779cdf5e78a9d695c593fee99ed2d990822fc

Download Submit
C:\Windows\INF\Https.sys

Filesize
16KB

MD5
2de012f51bb1405de2a0252b9ee956d1

SHA1
82ce85a4353bad2a76c50f475de51bd4b5aeb226

SHA256
54cba28e4813b9e3ee154d68bb77b9b5c14aa0a74549cdbfbbabeeb86ccf17fb

SHA512
c7fe6206ea3f3632a19f6c788c77d1d2bc304170b9ebabdc9d398f01e145a8af7ab17973afa3be0c390c2a2e3c3d61babbecbdba504a2b51502d5ff372e79a48

Download Submit
memory/3796-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3796-36-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download

Analysis

Sharing